
There is an accepted notion in some corners of cybersecurity that maintains "there is no peacetime." For many of us that is a daunting premise, because it discounts the extensive multi-year investments CISOs have made in security tooling, innovation, and staff to counter ongoing attacks against business services that have moved to cloud and SaaS platforms.

In cloud- and SaaS-based incident response, however, there is an acknowledged "peacetime": the intervals between real-world breach attempts and the investigations they trigger. Many IR vendors are front and center in helping organizations identify breach attempts and coordinate an efficient investigative response, but between firefights their customers frequently question the value of the annual subscription they hold with that provider.

Organizations relying on large-scale cloud and SaaS investments should rightfully expect their IR vendor to provide a regular program of readiness activities that helps security teams prepare the business to withstand the next cyberattack. Here is what meeting those expectations should look like in practice.

Don’t delay forensic data acquisition and storage

Establishing IR peacetime value should actually begin during customer onboarding, with upfront cloud and SaaS log collection through established connectors into de facto sources such as AWS, GCP, Azure, MongoDB, Snowflake, Okta, Salesforce, and Slack. Proactive forensic data acquisition reduces the risk, effort, and downtime of a standard investigation by letting the security team begin IR activities the moment a breach is identified, working from securely stored, easily queried forensic data rather than starting collection under pressure.

Don't forget that retention matters as much as collection. Many cloud and SaaS sources keep their own logs for only a short default window (AWS CloudTrail Event History and the Okta System Log, for example, retain roughly 90 days), which is often shorter than an intrusion's dwell time. The longer the storage the vendor provides, 1,000 days for example, the more likely your future investigation can reconstruct the initial access rather than only its aftermath.

Establish a shared-responsibility model during onboarding

In addition to proactive data collection, look for IR solutions built around a shared-responsibility partnership that lets your organization make full use of the vendor's IR personnel, technology, data, and recommended practices. This model helps organizations minimize critical incidents and return quickly to business as usual. Continuity of known vendor contacts across both investigations and peacetime activities removes the uncertainty about third-party staffing availability and delays that can impede both incident response and the building of cyber resilience.

Expect incident response readiness programs to enhance organizational cyber resilience

Lessons learned from recent, successful IR investigations are great, but why should they stay confined to the environment where they were found? IR vendors should apply real-world cloud and SaaS threat analysis observed in the wild, or in another customer's account, across their entire customer base, including yours. Proactive threat hunts dedicated to your organization's environment should be delivered on a regular cadence, quarterly for example, and run against the forensic data already collected rather than waiting for an incident to justify the search.

To complement this proactive threat focus, your organization's IR resilience should include vendor-provided Breach and Readiness Assessment programs that identify gaps and provide recommended-practice guidelines on how best to close them.

Leverage vendor automation to improve your cloud and SaaS IR investigation efficiencies

Hands-on expertise in making the most of your forensic data during an investigation is a strong contributor to minimizing disruption. So, too, is IR automation that shortens the investigative response process, for example by normalizing logs from each source into a common schema and running the routine queries that every investigation starts with.

Derive more value from your stored forensic data

IR vendors should help organizations overcome the differences between cloud/SaaS log collection and the on-premises model by providing recommended practices aligned with industry standards for forensic investigation, covering logging formats, forensic gathering procedures, and each source's default log retention. Customer expectations for data lake access and management should apply to the cloud and SaaS forensic baseline as well, so ask IR vendors about their policies for giving customers direct access to the collected logs.
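The following is an added example (not code from Mitiga or from the original post) of the kind of quarterly hunt the sections above describe: logs pre-collected from two sources are normalized into one schema and then queried for two things, console logins that CloudTrail reports as having no MFA, and activity from source addresses never seen in the stored history. All records are constructed to follow the JSON shapes of AWS CloudTrail and the Okta System Log, using documentation IP ranges; nothing here was captured from a real tenant, and the cutoff date is an assumption for the illustration.

```python
"""Quarterly hunt over pre-collected cloud and SaaS logs.

Added example, not code from Mitiga or from the original post. The records
below are constructed to mimic AWS CloudTrail and Okta System Log JSON.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# --- constructed sample data (documentation IP ranges, fictitious user) -----
CLOUDTRAIL_RECORDS: List[Dict] = [
    {   # historical, MFA-backed login from the office address
        "eventTime": "2024-03-02T08:00:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "198.51.100.10",
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # login without MFA from an address not in the stored history
        "eventTime": "2025-01-10T12:05:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.5",
        "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"},
    },
    {   # persistence-style follow-up from the same address
        "eventTime": "2025-01-10T12:07:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.5", "responseElements": {"accessKey": {"userName": "alice"}},
    },
]
OKTA_RECORDS: List[Dict] = [
    {   # historical SSO login from the office address
        "published": "2024-06-15T09:00:00.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "198.51.100.10"}, "outcome": {"result": "SUCCESS"},
    },
    {   # SSO login minutes before the AWS activity, same new address
        "published": "2025-01-10T11:58:00.000Z", "eventType": "user.session.start",
        "actor": {"alternateId": "alice@example.com", "type": "User"},
        "client": {"ipAddress": "203.0.113.5"}, "outcome": {"result": "SUCCESS"},
    },
]


@dataclass(frozen=True)
class Event:
    """One schema for both sources so a hunt can run across them."""
    ts: datetime
    source: str
    actor: str
    action: str
    src_ip: str
    outcome: str
    mfa_used: Optional[str]  # "Yes"/"No" on CloudTrail ConsoleLogin, else None


def _ts(value: str) -> datetime:
    # CloudTrail writes "...Z", Okta "....000Z"; both are UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def from_cloudtrail(rec: Dict) -> Event:
    ident = rec.get("userIdentity", {})
    outcome = "Failure" if "errorCode" in rec else rec.get("responseElements", {}).get("ConsoleLogin", "Success")
    return Event(_ts(rec["eventTime"]), "aws", ident.get("userName") or ident.get("arn", "unknown"),
                 rec["eventName"], rec.get("sourceIPAddress", ""), outcome,
                 rec.get("additionalEventData", {}).get("MFAUsed"))


def from_okta(rec: Dict) -> Event:
    return Event(_ts(rec["published"]), "okta", rec["actor"]["alternateId"], rec["eventType"],
                 rec["client"]["ipAddress"], rec["outcome"]["result"], None)


def load_events() -> List[Event]:
    events = [from_cloudtrail(r) for r in CLOUDTRAIL_RECORDS] + [from_okta(r) for r in OKTA_RECORDS]
    return sorted(events, key=lambda e: e.ts)


def hunt_console_login_without_mfa(events: List[Event]) -> List[Event]:
    """Successful AWS console logins where CloudTrail reports MFAUsed == "No"."""
    return [e for e in events if e.source == "aws" and e.action == "ConsoleLogin"
            and e.outcome == "Success" and e.mfa_used == "No"]


def hunt_new_source_ips(events: List[Event], baseline_end: datetime) -> List[Event]:
    """Events on/after baseline_end from IPs never seen in any source before it.

    The baseline is only as deep as the stored history: with a short retention
    window the office address would look "new" too, which is why long retention
    makes this hunt useful.
    """
    known = {e.src_ip for e in events if e.ts < baseline_end}
    return [e for e in events if e.ts >= baseline_end and e.src_ip not in known]


def quarterly_report(baseline_end_iso: str = "2025-01-01T00:00:00Z") -> Dict[str, List[str]]:
    """Run both hunts over the stored data and return one line per finding."""
    evs = load_events()
    cutoff = _ts(baseline_end_iso)  # assumed quarter boundary for the illustration
    return {
        "console_login_without_mfa": [f"{e.ts.isoformat()} {e.actor} {e.src_ip}"
                                      for e in hunt_console_login_without_mfa(evs)],
        "new_source_ips": [f"{e.ts.isoformat()} {e.source} {e.action} {e.src_ip}"
                           for e in hunt_new_source_ips(evs, cutoff)],
    }


if __name__ == "__main__":
    for hunt, findings in quarterly_report().items():
        print(hunt)
        for line in findings:
            print("  ", line)
```

The second hunt is where retention shows its value: rerunning `quarterly_report("2024-01-01T00:00:00Z")` against the same data leaves no history to build a baseline from, so every address looks new and the result is noise rather than a lead. The cross-source correlation (an Okta session start followed minutes later by a no-MFA AWS console login and a new access key from the same address) is only visible because both sources were collected into one place ahead of time.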

Last updated: January 23, 2025
